<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=3" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <title>ESET research (@ESETresearch): &quot;#ESETresearch has identified Linux and FreeBSD variants of the #Hive #Ransomware. Just like the Windows version, these variants are written in #Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate. 1&#x2F;6&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="ESET research (@ESETresearch)" />
    <meta property="og:description" content="#ESETresearch has identified Linux and FreeBSD variants of the #Hive #Ransomware. Just like the Windows version, these variants are written in #Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate. 1/6" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/media%2FFC4AaiJXsAI6JCd.png%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFC4AaiJXsAI6JCd.png" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFC4AaiJXsAI6JCd.png" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="image/png" href="/pic/media%2FFC4Aah7WUAICzCP.jpg%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFC4Aah7WUAICzCP.jpg" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFC4Aah7WUAICzCP.jpg" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div id="m" class="main-tweet"><div class="timeline-item thread thread-line"><div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454100591261667329#m" title="29/10/2021, 14:59:31">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto"><a href="/search?q=%23ESETresearch">#ESETresearch</a> has identified Linux and FreeBSD variants of the <a href="/search?q=%23Hive">#Hive</a> <a href="/search?q=%23Ransomware">#Ransomware</a>. Just like the Windows version, these variants are written in <a href="/search?q=%23Golang">#Golang</a>, but the strings, package names and function names have been obfuscated, likely with gobfuscate. 1/6</div>
                <div class="attachments"><div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FFC4AaiJXsAI6JCd.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFC4AaiJXsAI6JCd.png%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FFC4Aah7WUAICzCP.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFC4Aah7WUAICzCP.jpg%3Fname%3Dsmall" alt="" /></a></div>
                  </div></div>
                <p class="tweet-published">2:59 PM · Oct 29, 2021</p>
              </div></div></div>
          <div class="after-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/ESETresearch/status/1454100747080118273#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454100747080118273#m" title="29/10/2021, 15:00:08">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">In their analysis of the Windows variant of Hive last month, <a href="/Netskope" title="Netskope">@Netskope</a> highlighted facts hinting that the group might have the ability to infect other OSes. Our findings confirm those suspicions. <a href="https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals">netskope.com/blog/hive-ranso…</a> 2/6</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFC4A4mAXIAIZUYN.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFC4A4mAXIAIZUYN.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/ESETresearch/status/1454100857008574465#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454100857008574465#m" title="29/10/2021, 15:00:34">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">That being said, the Linux variant we analyzed seems buggy, as the encryption process does not work when the malware is executed with an explicit path. 3/6</div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/ESETresearch/status/1454101079054905345#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454101079054905345#m" title="29/10/2021, 15:01:27">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">It also supports only one command line parameter (-no-wipe), while the Windows variant supports up to 5 execution options. 4/6</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFC4BFDkXoAsnEwT.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFC4BFDkXoAsnEwT.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/ESETresearch/status/1454101342901899266#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454101342901899266#m" title="29/10/2021, 15:02:30">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">The malware also tries to write the ransom note and key information file to the filesystem root, so unless executed with root privileges, it fails and the encryption is not even triggered. These facts lead us to believe that the Linux variant is still in the development phase. 5/6</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFC4Bcj2X0AUeDLb.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFC4Bcj2X0AUeDLb.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/ESETresearch/status/1454101625409265665#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ESETresearch" title="ESET research">ESET research</a>
                        <a class="username" href="/ESETresearch" title="@ESETresearch">@ESETresearch</a>
                      </div>
                      <span class="tweet-date"><a href="/ESETresearch/status/1454101625409265665#m" title="29/10/2021, 15:03:38">Oct 29</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">IoCs: 
Linux x86-64 ELF (SHA-1): 77D7614156607B68265B122FB35A1D408625CB96
FreeBSD x86-64 ELF (SHA-1): 10BD0F1D3122D6575E882BA8F025EB11B0A95B61 

/4oEi_HOW_TO_DECRYPT.txt
*..21k5p

Linux/Filecoder.Hive.A trojan
FreeBSD/Filecoder.Hive.A trojan

194.5.252[.]190
6/6</div>
              </div>
            </div>
          </div>
        </div>
        <div id="r" class="replies">
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/ToddHelfrich/status/1454491739096600585#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ToddHelfrich" title="Todd Helfrich">Todd Helfrich</a>
                        <a class="username" href="/ToddHelfrich" title="@ToddHelfrich">@ToddHelfrich</a>
                      </div>
                      <span class="tweet-date"><a href="/ToddHelfrich/status/1454491739096600585#m" title="30/10/2021, 16:53:48">Oct 30</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/ESETresearch">@ESETresearch</a> <a href="/CyberSecurityN8">@CyberSecurityN8</a></div>
                <div class="tweet-content media-body" dir="auto"><a href="/search?q=%23datacloak">#datacloak</a></div>
              </div>
            </div></div>
        </div>
      </div></div>
  </body>
</html>